SAML service configuration

Presentation

This documentation explains how to configure the SAML service in LemonLDAP::NG, in particular:

The service configuration is used to generate the LemonLDAP::NG SAML metadata that will be shared with other providers. This means that if you modify some settings here, you will have to share the metadata again with the other providers. In other words, take the time to configure this part before sharing metadata.

Prerequisites

Lasso

SAML2 implementation is based on Lasso. You will need a very recent version of Lasso (>= 2.3.0).
Debian/Ubuntu

There are packages available here: http://deb.entrouvert.org/.

You will only need to install liblasso3-perl package:
$ sudo apt-get install liblasso3-perl
RHEL/CentOS/Fedora


Packages should be available soon.
Other


Download the Lasso tarball and compile it on your system

Apache rewrite rules



Be sure that mod_rewrite is installed and that SAML2 rewrite rules are activated in etc/portal-apache2.conf:
<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/saml/metadata /metadata.pl
        RewriteRule ^/saml/.* /index.pl
</IfModule>

Service configuration

All configuration can be done with the LemonLDAP::NG Manager. Connect to it first (by default http://manager.example.com). The service configuration is done in the SAML 2 Service node.

Entry Identifier



Your EntityID, often used as the metadata URL, by default http://auth.example.com/saml/metadata. Change this value to fit your portal URL, for example:

http://auth.mycompany.com/saml/metadata

Security parameters



This section concerns public and private keys, mandatory to exchange SAML messages with other providers. You have two options:

Warning: private keys are not published in metadata, but they are stored in the configuration backend.

You can set keys for signing and encryption. Keys for signing are mandatory, but if no keys are defined for encryption, keys for signing will be used.

Private keys can be protected by a password: in this case, set the password in the private key password field.

The public key can be a raw public key or a certificate containing the public key.

If you want to generate keys from the interface, click on Private key, then on Generate:

manager-saml-private-key.png

A password will be prompted. Leave blank if you don't want to protect the private key with a password.

The private and public keys are then placed in the Private key and Public key fields.

NameID formats



manager-saml-namid-formats.png

SAML can use different NameID formats. The NameID is the main user identifier, carried in SAML messages. You can configure here which field of the LemonLDAP::NG session is associated with each NameID format.

Customizable NameID formats are:

For example, if you are using AD as the authentication backend, you can use sAMAccountName for the Windows NameID format.

Other NameID formats are automatically managed:

Organization



This concerns all parameters for the Organization metadata section: <Organization></Organization>.

Service Provider



This concerns all parameters for the Service Provider metadata section: <SPSSODescriptor></SPSSODescriptor>.
General options
These options can then be overridden for each Identity Provider, see issuer SAML configuration.
Single Logout


manager-saml-service-sp-slo.png

For each binding you can set:

Available bindings are:
Assertion Consumer


manager-saml-service-sp-ac.png

For each binding you can set:

Available bindings are:
Artifact Resolution


The only authorized binding is SOAP. This should be set as Default. Location has to be adapted to fit your portal URL.

Identity Provider



This concerns all parameters for the Identity Provider metadata section: <IDPSSODescriptor></IDPSSODescriptor>.
General parameters
These options can then be overridden for each Service Provider, see SAML authentication configuration.
Single Sign On


For each binding you can set:

Available bindings are:
Single Logout


For each binding you can set:

Available bindings are:
Artifact Resolution


The only authorized binding is SOAP. This should be set as Default. Location has to be adapted to fit your portal URL.

Attribute Authority



This concerns all parameters for the Attribute Authority metadata section: <AttributeAuthorityDescriptor></AttributeAuthorityDescriptor>.
Attribute Service


This is the only service to configure, and it accepts only the SOAP binding.

Location has to be adapted to fit your portal URL. Response Location should be empty, as SOAP responses are returned directly (synchronous binding).
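
Before sharing the generated metadata with partners, it is worth checking it against the rules stated in this page: the EntityID and every service Location should be on your portal host (Entry Identifier), each role must carry a signing key (Security parameters), Artifact Resolution in both the Service Provider and Identity Provider sections accepts only the SOAP binding with a default entry, and the Attribute Service must be SOAP with an empty Response Location. The following checker is an added example written for this documentation; it is not part of LemonLDAP::NG. The sample metadata it carries is constructed: the hostnames, endpoint paths and certificate value are placeholders, not real LemonLDAP::NG output, and it deliberately contains four mistakes so there is something to report. Only the Python standard library is used.

```python
# Added example (not LemonLDAP::NG code): check a SAML metadata document
# against the service-configuration rules described in this page.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
# Services that the documentation restricts to the SOAP binding
SOAP_ONLY = {"ArtifactResolutionService", "AttributeService"}

# Constructed sample: placeholder host, paths and certificate. It contains
# four deliberate errors (SP artifact endpoint on a stale host and with a
# non-SOAP binding, no signing key in the attribute authority, and a
# ResponseLocation on the attribute service).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://auth.example.com/saml/artifact" index="0" isDefault="true"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.example.com/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://auth.old-host.example/saml/artifact" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://auth.example.com/saml/attributes"
        ResponseLocation="https://auth.example.com/saml/attributes-return"/>
  </md:AttributeAuthorityDescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Org</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Org</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.example.com/</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>
"""


def local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def check_metadata(xml_text, portal_host):
    """Return a list of findings; an empty list means the metadata matches
    the rules described in the service configuration page."""
    root = ET.fromstring(xml_text)
    findings = []

    entity_id = root.get("entityID", "")
    if urlparse(entity_id).hostname != portal_host:
        findings.append(f"entityID {entity_id!r} is not on portal host {portal_host}")

    for role in root:
        name = local(role.tag)
        if not name.endswith("Descriptor"):
            continue  # Organization and similar sections carry no endpoints
        # Keys for signing are mandatory in every role
        if not role.findall("md:KeyDescriptor[@use='signing']", NS):
            findings.append(f"{name}: no signing KeyDescriptor")
        for endpoint in role:
            ep = local(endpoint.tag)
            location = endpoint.get("Location")
            if location is None:
                continue  # not an endpoint element (e.g. KeyDescriptor)
            if urlparse(location).hostname != portal_host:
                findings.append(f"{name}/{ep}: Location {location} is not on portal host {portal_host}")
            if ep in SOAP_ONLY and endpoint.get("Binding") != SOAP_BINDING:
                findings.append(f"{name}/{ep}: binding must be SOAP, got {endpoint.get('Binding')}")
            if ep == "AttributeService" and endpoint.get("ResponseLocation"):
                findings.append(f"{name}/{ep}: ResponseLocation must be empty (synchronous SOAP binding)")
        artifact = role.findall("md:ArtifactResolutionService", NS)
        if artifact and not any(a.get("isDefault") == "true" for a in artifact):
            findings.append(f"{name}: no ArtifactResolutionService is marked isDefault")
    return findings


if __name__ == "__main__":
    for finding in check_metadata(SAMPLE_METADATA, "auth.example.com"):
        print("PROBLEM:", finding)
```

Run it against the metadata your portal serves at the EntityID URL (fetch it and pass the text together with your portal hostname) before sending that document to a partner; a stale host in a Location is exactly the kind of mistake that forces a second metadata exchange later.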

Advanced



These parameters are not mandatory to run the SAML service, but can help customize it: